How CVE-2025-22036 Works
This vulnerability is a race in the Linux kernel's exFAT driver between the read path and I/O completion. When do_mpage_readpage() handles a folio that has no buffers attached, it calls the filesystem's get_block callback, exfat_get_block(), with a buffer_head that lives on the caller's stack. exfat_get_block() in turn calls bh_read() on that buffer_head: __bh_read() takes a reference with get_bh(), submits the I/O and sleeps in wait_on_buffer(). On the completion side, end_buffer_read_sync() first unlocks the buffer, which wakes the waiter, and only then drops its own reference with put_bh(). If CPU 0 is woken, returns all the way out of mpage_read_folio() and reuses that stack region for another frame before CPU 1 reaches put_bh(), the atomic decrement of b_count lands in a stack word that now belongs to an unrelated local variable. The upstream fix calls this "random stack corruption": the practical result is a crash or silent corruption of whatever occupied that word, and any escalation beyond that would have to be built on a one-word, minus-one write at a time the attacker does not control. The root cause is that a buffer_head whose lifetime is bound to a stack frame was handed to a path that keeps a reference to it past the frame's return.
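To make the ordering concrete, here is a deterministic, single-threaded model of the race and of the fix. It is an added example, not kernel code: the kernel stack is an int32_t array whose frames are pushed and popped by hand, CPU 1's late put_bh() is replayed explicitly, and get_block_vuln(), get_block_fixed(), mpage_read_folio(), another_function() and run_scenario() are stand-ins named after the kernel functions they model, not the real ones. The vulnerable path leaves the completion's reference pointing at a popped stack word, so the decrement lands in another_function()'s local; the fixed path refuses the stack buffer_head with -EAGAIN, the caller falls back to a folio-backed one, and the same late put_bh() is harmless.

```c
/* Deterministic model of the CVE-2025-22036 race. Constructed example, not
 * kernel code: the "kernel stack" is an array, CPU 1's deferred put_bh() is
 * replayed by hand, and the function names mirror the kernel paths they model. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define STACK_WORDS 8
static int32_t kstack[STACK_WORDS];   /* modelled kernel stack, grows down */
static int sp = STACK_WORDS;

struct bh {
    int32_t *b_count;   /* where the refcount lives: a stack slot or folio storage */
    int has_folio;      /* nonzero when the bh belongs to a page-cache folio */
};

/* I/O completion that "CPU 1" has not run yet; it still points at b_count. */
static int32_t *pending_put;

static void get_bh(struct bh *bh) { (*bh->b_count)++; }

/* __bh_read(): get_bh(), submit, wait_on_buffer(). The completion's
 * unlock_buffer() wakes the waiter before its put_bh() runs, so we return
 * while the put is still outstanding. */
static int bh_read(struct bh *bh)
{
    get_bh(bh);
    pending_put = bh->b_count;
    return 0;
}

/* end_buffer_read_sync() on CPU 1, arriving late: atomic_dec(&bh->b_count). */
static void cpu1_put_bh(void)
{
    if (pending_put) {
        (*pending_put)--;
        pending_put = NULL;
    }
}

/* Vulnerable exfat_get_block(): reads through whatever bh it is handed. */
static int get_block_vuln(struct bh *bh) { return bh_read(bh); }

/* Fixed exfat_get_block(): a bh with no folio behind it is the caller's
 * stack bh; refuse with -EAGAIN so the caller falls back to a folio bh. */
static int get_block_fixed(struct bh *bh)
{
    if (!bh->has_folio)
        return -EAGAIN;
    return bh_read(bh);
}

static int32_t folio_bh_count;   /* b_count storage owned by the page cache */

/* do_mpage_readpage(): buffer_head on the stack, frame popped on return.
 * On -EAGAIN, fall back to a folio-backed bh as block_read_full_folio() would. */
static void mpage_read_folio(int (*get_block)(struct bh *))
{
    sp -= 1;                                  /* push frame: one word, b_count */
    struct bh stack_bh = { .b_count = &kstack[sp], .has_folio = 0 };
    *stack_bh.b_count = 1;
    if (get_block(&stack_bh) == -EAGAIN) {
        struct bh folio_bh = { .b_count = &folio_bh_count, .has_folio = 1 };
        folio_bh_count = 1;
        get_block(&folio_bh);
    }
    sp += 1;                                  /* pop: stack_bh is now dead */
}

/* Unrelated function that reuses the freed stack word for its own local. */
static int32_t another_function(void)
{
    sp -= 1;
    int32_t *local = &kstack[sp];
    *local = 1000;
    cpu1_put_bh();                            /* CPU 1's late put_bh() lands now */
    int32_t seen = *local;
    sp += 1;
    return seen;
}

/* Runs one scenario; returns the value another_function() observes in its local. */
int run_scenario(int (*get_block)(struct bh *))
{
    pending_put = NULL;
    sp = STACK_WORDS;
    mpage_read_folio(get_block);
    return another_function();
}

int main(void)
{
    printf("vulnerable: stored 1000, observed %d\n", run_scenario(get_block_vuln));
    printf("fixed:      stored 1000, observed %d\n", run_scenario(get_block_fixed));
    return 0;
}
```

Build with cc -std=c99 model.c && ./model: the vulnerable run observes 999 where 1000 was stored, because the stale b_count slot is the same word another_function() uses; the fixed run observes 1000 and the decrement lands on folio_bh_count instead.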
DailyCVE Form:
Platform: Linux Kernel (fs/exfat)
Version: kernels whose exFAT driver predates the upstream fix "exfat: fix random stack corruption after get_block" (mainline, with backports to the stable series; check your distribution's advisory for CVE-2025-22036)
Vulnerability: Stack corruption via race condition (use of a stack-allocated buffer_head after its frame has returned)
Severity: High (rated Critical by the original post; a local attack vector and a race that must be won argue for High)
Date: 04/16/2025
What Undercode Says:
Exploitation:
1. Hammer the read path of files on an exFAT mount from several threads so exfat_get_block() is repeatedly entered with the on-stack buffer_head that do_mpage_readpage() passes it for a folio with no buffers attached.
2. Win the race: the I/O completion on another CPU must run its put_bh() only after the reading thread has been woken by unlock_buffer() and has returned out of mpage_read_folio(), discarding the frame that held the buffer_head.
3. The late atomic decrement subtracts one from whatever 32-bit value now occupies that stack word in a later frame. It is a one-word, minus-one corruption, not a controlled write, so turning it into anything beyond a crash would require the slot to hold something sensitive (a length, an index, a saved pointer) at exactly that moment. The upstream report describes it only as random stack corruption and gives no exploitation technique.
Detection:
- Check whether the running kernel carries the fix "exfat: fix random stack corruption after get_block" (compare uname -r against your distribution's advisory for CVE-2025-22036). In a source tree, confirm that exfat_get_block() returns -EAGAIN instead of calling bh_read() when the buffer_head it was handed has no folio behind it:
grep -n "bh_read" /usr/src/linux/fs/exfat/inode.c
- Symptoms of a hit are random, so look for stack-protector reports or unexplained oopses around exFAT activity rather than for an exFAT-specific message:
dmesg | grep -iE "exfat|stack-protector|Kernel stack is corrupted"
Mitigation:
1. Update to a kernel carrying the upstream fix "exfat: fix random stack corruption after get_block", which makes exfat_get_block() return -EAGAIN instead of calling bh_read() on a folio-less (stack) buffer_head, so the mpage code falls back to block_read_full_folio() and a buffer_head that lives in the folio.
2. Until then, unmount exFAT volumes and keep the module out of the kernel. A blacklist entry only stops automatic loading; the install line also defeats an explicit modprobe:
echo "blacklist exfat" >> /etc/modprobe.d/blacklist.conf
echo "install exfat /bin/false" >> /etc/modprobe.d/blacklist.conf
modprobe -r exfat
Proof-of-Concept (Crash Trigger):
#include <fcntl.h>
#include <unistd.h>

/* Stress loop: keep re-reading a file on an exFAT mount so the read path
 * keeps entering exfat_get_block() with the stack buffer_head from mpage.
 * The race window is narrow, so this is a trigger attempt, not a
 * deterministic crash. Path is an assumed test mount. */
int main(void)
{
	char buf[4096];
	for (;;) {
		int fd = open("/mnt/exfat/malicious.img", O_RDONLY);
		if (fd < 0)
			return 1;
		(void)read(fd, buf, sizeof(buf));   /* the original read(fd, NULL, 0) did no I/O */
		posix_fadvise(fd, 0, 0, POSIX_FADV_DONTNEED); /* evict so the next read hits disk */
		close(fd);
	}
}
Kernel Patch Analysis:
- if (!folio_has_buffers(folio)) + if (!folio_has_buffers(folio)) + return -EAGAIN;
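Review bot: the hunk deletes and re-adds an identical `if (!folio_has_buffers(folio))` line, so its only effective change is the bare `return -EAGAIN;`, and it carries no function context: nothing shows where in exfat_get_block() the return sits or whether it skips a lock release or cleanup label on the way out, so the hunk should be shown with its enclosing lines and routed through the function's error path if one exists. The guard should also be keyed on the buffer_head the caller passed in rather than on a folio, since the bug described above is exfat_get_block() calling bh_read() on a stack-resident buffer_head with no folio behind it; that is the condition that lets do_mpage_readpage() fall back to a folio-backed buffer_head.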
Monitoring:
perf probe -a 'exfat_get_block%return $retval'
perf record -e probe:exfat_get_block__return -a -- sleep 30
perf script
Add -m exfat to the probe command if exFAT is built as a module. The probe counts calls and their return values; it cannot observe the race itself. On a patched kernel a return of -EAGAIN (-11) marks the new guard firing and the mpage fallback taking over. Remove the probe afterwards with perf probe -d exfat_get_block__return.
CVSS 4.0 Metrics:
- Attack Vector: Local
- Attack Complexity: High (a race must be won)
- Integrity Impact: High (CVSS 4.0 impact metrics have no "Critical" level)
- Exploit Maturity: Not Defined ("Functional" is CVSS 3.x vocabulary; no public exploit is cited here)
Sources:
CVE record: nvd.nist.gov (CVE-2025-22036, assigned by the kernel.org CNA)
Extra Source Hub:
Undercode